
First SMS Trojan detected for smartphones running Android

  • 10-08-2010 5:30pm
    #1
    Registered Users Posts: 1,234 ✭✭✭


    http://www.kaspersky.com/news?id=207576152
    First SMS Trojan detected for smartphones running Android

    Kaspersky Lab, a leading developer of secure content management solutions, announces that the first malicious program classified as a Trojan-SMS has been detected for smartphones running on Google’s Android operating system. Named Trojan-SMS.AndroidOS.FakePlayer.a, it has already infected a number of mobile devices.

    The new malicious program penetrates smartphones running Android in the guise of a harmless media player application. Users are prompted to install a file of just over 13 KB with the standard Android extension .APK. Once installed on the phone, the Trojan uses the system to begin sending SMSs to premium rate numbers without the owner’s knowledge or consent, resulting in money passing from a user’s account to that of the cybercriminals.

    The Trojan-SMS category is currently the most widespread class of malware for mobile phones, but Trojan-SMS.AndroidOS.FakePlayer.a is the first to specifically target the Android platform. It should be noted that there have already been isolated cases of devices running Android being infected with spyware. The first such program appeared in 2009.

    “The IT market research and analysis organization IDC has noted that those selling devices running Android are experiencing the highest growth in sales among smartphone manufacturers. As a result, we can expect to see a corresponding rise in the amount of malware targeting that platform,” says Denis Maslennikov, Mobile Research Group Manager at Kaspersky Lab. “Kaspersky Lab is actively developing technologies and solutions to protect this operating system and plans to release Kaspersky Mobile Security for Android in early 2011.”

    Kaspersky Lab recommends that users pay close attention to the services that an application requests access to when it is being installed. That includes access to premium rate services that charge to send SMSs and make calls. When a user agrees to these functions during the installation of an application, the smartphone may then be able to make calls and send SMSs without further authorization.

    The signature for Trojan-SMS.AndroidOS.FakePlayer.a has already been added to Kaspersky Lab’s antivirus databases.

    I wonder how prevalent this is going to become, will we eventually end up having to pay out for AV/AS on our handsets? For now, to protect yourself, make sure the Unknown Sources option is unticked under Settings\Applications and watch what permissions anything you are installing is looking for.
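
    An added example, not part of the original post or of Kaspersky's release: one way to automate the advice above about checking requested permissions before installing. It assumes the APK's manifest has already been decoded to text XML (inside the APK it is stored in a binary format); the sample manifest, the `EXPECTED` baseline and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that let an app run up charges without asking again after install.
COST_PERMISSIONS = {
    "android.permission.SEND_SMS": "can send SMS, including to premium rate numbers",
    "android.permission.CALL_PHONE": "can place calls, including to premium rate numbers",
}

# Hypothetical baseline: what an app of a given advertised type plausibly needs.
EXPECTED = {
    "media player": {"android.permission.INTERNET", "android.permission.WAKE_LOCK"},
    "sms client": {"android.permission.SEND_SMS", "android.permission.READ_SMS"},
}

# Constructed sample: decoded manifest of a made-up app advertised as a media player.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.movieplayer">
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Movie Player"/>
</manifest>
"""

def requested_permissions(manifest_xml):
    """Return the permission names declared in a decoded AndroidManifest.xml."""
    if "<!DOCTYPE" in manifest_xml:
        # Manifests never need a DTD; refuse it rather than risk entity expansion.
        raise ValueError("unexpected DOCTYPE in manifest")
    root = ET.fromstring(manifest_xml)
    perms = []
    for el in root.findall("uses-permission"):
        name = el.get(ANDROID_NS + "name")
        if name:
            perms.append(name)
    return perms

def review(manifest_xml, advertised_as):
    """List cost-incurring permissions that the advertised purpose does not explain."""
    expected = EXPECTED.get(advertised_as, set())
    return [(p, COST_PERMISSIONS[p])
            for p in requested_permissions(manifest_xml)
            if p in COST_PERMISSIONS and p not in expected]

if __name__ == "__main__":
    for perm, why in review(SAMPLE_MANIFEST, "media player"):
        print(f"REVIEW BEFORE INSTALL: {perm} ({why})")
```

    The same manifest passes when the app is advertised as an SMS client, which is the point: the permission is only suspicious relative to what the app claims to be.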


Comments

  • Registered Users Posts: 3,495 ✭✭✭Abelloid


    Is the apk embedded in the sms? Or does it just have a link to download it? Does it auto install?

    Non-story from a company with something to gain from creating fear amongst Android users IMHO.


  • Registered Users Posts: 10,540 ✭✭✭✭28064212


    Frankly, if someone is foolish enough to install an apk that they get in an SMS (and ignore the permissions explicitly asked for), there's not much Google or anybody else can do for them

    Boardsie Enhancement Suite - a browser extension to make using Boards on desktop a better experience (includes full-width display, keyboard shortcuts, dark mode, and more). Now available through your browser's extension store.

    Firefox: https://addons.mozilla.org/addon/boardsie-enhancement-suite/

    Chrome/Edge/Opera: https://chromewebstore.google.com/detail/boardsie-enhancement-suit/bbgnmnfagihoohjkofdnofcfmkpdmmce



  • Moderators, Recreation & Hobbies Moderators, Social & Fun Moderators, Sports Moderators Posts: 12,802 Mod ✭✭✭✭Keano


    JustinOval wrote: »
    Is the apk embedded in the sms? Or does it just have a link to download it? Does it auto install?

    Non-story from a company with something to gain from creating fear amongst Android users IMHO.
    Exactly my first thought.


  • Closed Accounts Posts: 13,874 ✭✭✭✭PogMoThoin


    the_irish_virus.jpg


  • Registered Users Posts: 1,234 ✭✭✭Mr Bloat


    JustinOval wrote: »
    Is the apk embedded in the sms? Or does it just have a link to download it? Does it auto install?

    Non-story from a company with something to gain from creating fear amongst Android users IMHO.

    Who would you have trusted this news from? McAfee, Symantec, Trend? They all have something to gain from creating 'fear' but they monitor malware trends just as much as Kaspersky do.
    28064212 wrote: »
    Frankly, if someone is foolish enough to install an apk that they get in an SMS (and ignore the permissions explicitly asked for), there's not much Google or anybody else can do for them

    I agree that someone would want to be pretty stupid to get hit by this but the link to install doesn't necessarily come from an sms, it can come from an email, website link, whatever. Say a buddy of yours got a virus on his pc and it generated a mail to you saying click here for a new Android media player. There's a chance you might hit the link and install the .apk without taking much notice of the permissions that the app is being granted. Maybe you wouldn't but there are people out there that will.
    What matters here is that malware is being developed for Android and it shouldn't be dismissed out of hand just because it may only affect the stupid.


  • Registered Users Posts: 10,540 ✭✭✭✭28064212


    Mr Bloat wrote: »
    I agree that someone would want to be pretty stupid to get hit by this but the link to install doesn't necessarily come from an sms, it can come from an email, website link, whatever. Say a buddy of yours got a virus on his pc and it generated a mail to you saying click here for a new Android media player. There's a chance you might hit the link and install the .apk without taking much notice of the permissions that the app is being granted. Maybe you wouldn't but there are people out there that will.
    What matters here is that malware is being developed for Android and it shouldn't be dismissed out of hand just because it may only affect the stupid.
    Where's the follow-on from that? Is there some way for Google to prevent attacks of this nature? No, not without locking the OS down until it's virtually unusable. They'd have to make texting premium numbers require rooting to block this specific attack. Is publicising this attack going to do any good? No, because anyone who reads this level of tech news would know not to click on it anyway




  • Registered Users Posts: 3,495 ✭✭✭Abelloid


    Mr Bloat wrote: »
    Who would you have trusted this news from? McAfee, Symantec, Trend? They all have something to gain from creating 'fear' but they monitor malware trends just as much as Kaspersky do.

    I'm not denying there are malicious apps, it's the SMS bit that winds me up - SMS trojan? Is it installed without your permission, via unsolicited SMS?


  • Registered Users Posts: 171 ✭✭jeromeof


    I don't think it installs via SMS, it just sends SMS messages to premium numbers in the background without your permission (well, technically the app apparently does show that it requests permission to send SMS messages when it's installed).

    As people have said, you would have to be pretty stupid to go to a third-party website (where the .apk file was actually hosted) and download this. But possibly the lack of a commercial Market in Ireland might drive people outside the Market to these alternative Android markets, so it is probably good to point this out to new Android users. Just like PC users often try to get commercial software from "alternative sources" and potentially end up with a virus/malware for their troubles.

    The real danger would definitely be if it did actually send an SMS (or Email link to itself) to all your contacts without you knowing it. Then this would become more of a virus than just some stupid malware application.


  • Registered Users Posts: 3,495 ✭✭✭Abelloid


    jeromeof wrote: »
    I don't think it installs via SMS, it just sends SMS messages to premium numbers in the background without your permission (well, technically the app apparently does show that it requests permission to send SMS messages when it's installed).

    Ah, OK.


  • Registered Users Posts: 1,234 ✭✭✭Mr Bloat


    28064212 wrote: »
    Where's the follow-on from that? Is there some way for Google to prevent attacks of this nature? No, not without locking the OS down until it's virtually unusable. They'd have to make texting premium numbers require rooting to block this specific attack. Is publicising this attack going to do any good? No, because anyone who reads this level of tech news would know not to click on it anyway

    So if someone writes malware that attacks Android it shouldn't be publicised? Where's the logic in that?
    One follow-on that I would think is reasonable is to have an additional warning system to the permissions page - one which pops up after an app is installed when it attempts to access something like SMS or the dialer. A simple warning like "app x wants to send an SMS, do you want to allow this", similar to the warnings which pop up when an app wants SU access after rooting.


  • Registered Users Posts: 10,992 ✭✭✭✭partyatmygaff


    Quite a simple way to end all of this. Create a database of all premium phone prefixes and then have it hook on to the dialer and SMS application and then have it ask for a password if the phone attempts to dial/text a premium number.

